The Regulation of Investigatory Powers Bill

Key Revocation, Government Access to Keys and Tipping-Off

The tipping-off offence in the
RIP Bill is useless because criminals can inform their colleagues of any
Government interest in their keys without committing this offence. They are
free to issue new keys whenever they choose, and they can identify keys issued
as a result of key seizure by saying, for all other keys, “my old key is now
insecure but not as a result of seizure”. Keys issued without such a comment
then immediately identify the Government interest.

1. Revoking Keys

Alice and Bob are exchanging encrypted emails, using each
other’s public keys to scramble their messages and their own private keys to
unscramble them. But Alice finds out
that her flatmate, Charlie, has found her private key and can now unscramble
Bob’s messages to Alice just as Alice herself can.

Alice can prevent Charlie from doing this by telling Bob
not to use her existing public key but to use a new key that she supplies. This process is called key revocation and is
normally undertaken when there is a suspicion that a private key has been
revealed or stolen. It is often done at regular intervals just in case this has
happened.

When Bob hears about the problem, he might ask Alice what
happened to the key in question. If he
hears that Charlie has it, he might not worry too much, but if he hears that
Charlie has given it to all her friends as well, he might worry a lot more.
It is hence reasonable to explain the
reasons for revoking a key so that users of the key can decide what impact this
has on their own security.

2. Government Access to Keys and the Tipping-Off Offence

If Godfrey (the Government) seizes Alice’s key, Godfrey
can then read Bob’s messages. But the RIP Bill does not allow Alice to tell Bob
that her key has been seized because this would alert him to Godfrey’s
interest. However, Alice is allowed to revoke her key and issue a new one
provided that she does not say why she has done this.

This aspect of the RIP Bill is presumably present to stop
a criminal from tipping-off his criminal associates that Godfrey is now taking
an interest in them. Unfortunately it
doesn’t work – the tipping-off offence is meaningless because it is very easily
defeated.

If there is a criminal gang using keys to protect their
messages, all that they do is to ensure that when a key is revoked for reasons
other than seizure they say ‘I revoke my key but not because it has been
seized’. There is nothing illegal in
this. But when they revoke a seized key
(which is legal), they simply revoke it and say nothing. Their criminal
colleagues can then immediately conclude from their silence that Godfrey is
around.

This is the cyberspace equivalent of the ‘AA negative
salute’ used in the past to alert AA members to Police speed traps. It shows that criminals can adopt a simple
procedure that allows them to signal that Godfrey is interested in them without
even committing the tipping-off offence.

3. Conclusion

The tipping-off offence will not work against serious
criminals. It is far from obvious that they will worry about the criminal
penalties involved in tipping-off but even if they do, there is a very simple
way in which criminals can warn their colleagues of any Government interest in
their keys.

This is yet one more example of the futility of the
provisions in the RIP Bill for Government Access to Keys (GAK).